Since, after recent events, topics on how to set up your own jabber server have been multiplying like mushrooms after rain, I decided to list some basic errors and misconceptions of those who set up a jabber server for the first time. It will be about:
- SRV Records
- SSL certificates
- Misconceptions about transport
SRV Records
Yes, these records are optional according to RFC 3920 and RFC 3921, but there have been several reports that problems arise without them. Creating _xmpp-server._tcp.example.com and _xmpp-client._tcp.example.com is not difficult, but it can save you a lot of headaches. Not registering SRV records for a jabber server is about the same as not registering MX records for a mail server: neither is strictly necessary [1], but both save you from some problems.
To give a concrete example: the Telepathy client, in one of its versions with the default settings, could not connect to the server if there was no SRV record in the DNS zone.
For details, see clause 11.2 of RFC 3921 and clauses 14.3 and 14.4 of RFC 3920.
SSL certificates
You might say "we are honest people, we have nothing to encrypt", but this is not quite so. Recall GMail: it enforces encryption when working with mail via IMAP or POP3. It is possible that, in the absence of any SSL certificate, the connection between your server and GTalk will not be established. Also, a year ago the XMPP Council voiced the idea of Trusted Federation, i.e. prohibiting unencrypted connections between servers. From all this it follows that SSL is worth setting up.
Clause 14.2 of RFC 3920 allows the use of any certificates, including the self-signed ones that are often installed by default. But the same clause states that, in the case of a self-signed certificate, the client MUST warn the user about an invalid certificate. This is, of course, correct from a security point of view, but it will not bring the user any joy, so it is worth getting a "normal" certificate.
If you do not have your own CA that all your users trust, and you do not want to spend several hundred dollars on an SSL certificate from one of the well-known CAs, you can use the XMPP Foundation ICA: getting an SSL certificate for your jabber server there is free. Moreover, a significant number of popular jabber clients trust certificates issued by the XMPP ICA.
Misconceptions about transport
The main misconception of users about transports is the following: "you need to register on the server that has a lot of transports."
This misconception is apparently cultivated by the fact that most administrators of jabber servers either prohibit access to their transports from other servers, or simply forget to create the appropriate A and SRV [2] DNS records for their transports, so users of other servers have no technical ability to use them.
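The checks from the SRV section and the transport section above, written as an added example that is not part of the original post: it reads a zone fragment in BIND presentation format, verifies that the domain has both _xmpp-client and _xmpp-server records, that every transport subdomain has its own _xmpp-server record, and that every SRV target has an A record. The zone lines are constructed sample data; the example.com names and 192.0.2.x addresses are placeholders.

```python
import re
from collections import namedtuple
Srv = namedtuple("Srv", "name priority weight port target")
# BIND presentation format, TTL and class optional:
#   _xmpp-client._tcp.example.com. 3600 IN SRV 5 0 5222 xmpp.example.com.
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(SRV|A)\s+(.+)$")
_fqdn = lambda name: name.rstrip(".").lower()  # normalise owner/target names

def parse_zone(lines):
    """Return ({owner: [Srv, ...]}, {owners with an A record}); other record types are ignored."""
    srv, a_names = {}, set()
    for line in lines:
        m = RR_RE.match(line.strip())
        if not m:
            continue
        name, rtype, rdata = m.groups()
        if rtype == "A":
            a_names.add(_fqdn(name))
        else:
            prio, weight, port, target = rdata.split()
            rec = Srv(_fqdn(name), int(prio), int(weight), int(port), _fqdn(target))
            srv.setdefault(rec.name, []).append(rec)
    return srv, a_names

def check_xmpp_srv(zone_lines, domain, transports=()):
    """Findings for the XMPP SRV records of `domain`. Each transport subdomain (footnote [2])
    needs its own _xmpp-server record, and every SRV target needs an A record."""
    srv, a_names = parse_zone(zone_lines)
    wanted = [(f"_xmpp-client._tcp.{domain}", 5222)]
    wanted += [(f"_xmpp-server._tcp.{d}", 5269) for d in (domain, *transports)]
    findings = []
    for name, std_port in wanted:
        for r in srv.get(name) or [None]:
            if r is None:
                findings.append(f"{name}: missing (no SRV; connections fall back to an A lookup on port {std_port})")
            elif r.target == "":
                findings.append(f"{name}: target '.' means the service is explicitly not offered")
            elif r.target not in a_names:
                findings.append(f"{name}: target {r.target} has no A record in this zone")
    return findings

# Constructed sample zone: backup.example.com is an SRV target without an A record,
# and the ICQ transport has an A record but no SRV record (the gap in the post's last section).
SAMPLE_ZONE = [
    "_xmpp-client._tcp.example.com. 3600 IN SRV 5 0 5222 xmpp.example.com.",
    "_xmpp-server._tcp.example.com. 3600 IN SRV 5 0 5269 xmpp.example.com.",
    "_xmpp-server._tcp.example.com. 3600 IN SRV 10 0 5269 backup.example.com.",
    "xmpp.example.com. 3600 IN A 192.0.2.10",
    "icq.example.com. 3600 IN A 192.0.2.10",
]
```

Running `check_xmpp_srv(SAMPLE_ZONE, "example.com", transports=("icq.example.com",))` reports the backup target without an A record and the transport without an _xmpp-server record; a zone that passes is the one a remote server such as GTalk can actually reach.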
PS By the way, jabber turned 10 years old on the 4th of January :-)
[1] Yes, MX records are optional; RFC 5321 says so.
[2] I am not sure that SRV records are required for transports. Logically, they should be, but I have not seen this mentioned anywhere.